I am getting ready to replace an aging residential AP in my office network, and I want to create a more robust solution than the one that I am replacing. Our current solution doesn't include separate guest access. There is only one SSID and it puts everyone on the LAN. To date, I have been using MAC filtering to limit access, but this is becoming quite cumbersome.

I want to create a situation where one SSID will put my internal users on the LAN and a second SSID for guest access that will go straight to the internet. The second SSID will have to provide those clients with DHCP and DNS services.

I currently have a Pix 506e firewall, 1841 router and a Linksys WAP11.

Can I execute this with something like the D-Link DAP-2553? I would really rather use a Cisco device because I want to learn more about them, but all of their small business APs have terrible reviews. (see WAP4410N)

It depends on what you have for hardware on your existing network. Typically you have a switch (per network range or with VLANs configured) that would plug into a port on your firewall. You would then configure rules in your firewall for that physical network or VLAN so that any DHCP traffic (usually called an IP helper) is sent to a designated DHCP server that is configured to issue addresses for the range you want to use. Then you would configure your internet access as per normal for whatever device you are using, just like any other network.

I think I am going to pull the trigger on this in a few days. I want to finish reviewing the documentation before doing so. Thanks for pointing me in this direction.

The UniFi line won't handle your DHCP; they are strictly an access point. Typically you use your existing DHCP server to handle your DHCP requests. Here is how I do it for our network:

My APs connect to a small switch that only they use.

My APs then connect into my firewall (a SonicWall 4100 Pro).

My APs have 2 networks, my guest and my private. The guest only has internet access; both are on a separate IP range.

The SonicWall sorts out the DHCP requests from any device connecting to the wireless (SonicWall calls this service IP helper) and passes them to my DHCP server on the LAN, which is on a third subnet. The DHCP server is configured with all 3 subnets, so it responds with the DHCP info to the client, giving them a valid address.
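An added illustration, not part of the post above or of any vendor's code: how a DHCP server with several scopes decides which range a relayed request belongs to. The relay (IP helper) writes its own address on the client's subnet into the `giaddr` field of the request (RFC 2131), and the server matches that field against its scopes. The subnets, scope names and server address are constructed for the example.

```python
import ipaddress
import struct

FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed BOOTP header, RFC 2131 (236 bytes)
GIADDR = 10                          # index of giaddr in the unpacked tuple

# Constructed scopes; the subnets are assumptions, not values from the thread.
SCOPES = {
    "lan": ipaddress.ip_network("10.0.10.0/24"),
    "private-wifi": ipaddress.ip_network("10.0.20.0/24"),
    "guest-wifi": ipaddress.ip_network("10.0.30.0/24"),
}

def client_discover(mac=b"\x02\x00\x00\x00\x00\x01"):
    """Constructed client broadcast: giaddr is all zeros when it leaves the client."""
    return struct.pack(
        FMT,
        1, 1, 6, 0,                    # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x12345678, 0, 0x8000,         # xid, secs, flags (broadcast bit set)
        bytes(4), bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr
        bytes(4),                      # giaddr
        mac.ljust(16, b"\x00"), bytes(64), bytes(128),
    )

def relay(packet, relay_ip):
    """What an IP helper does: stamp giaddr with the interface the broadcast hit."""
    fields = list(struct.unpack(FMT, packet))
    if fields[GIADDR] == bytes(4):     # only the first relay sets giaddr
        fields[GIADDR] = ipaddress.ip_address(relay_ip).packed
    fields[3] += 1                     # hops
    return struct.pack(FMT, *fields)

def select_scope(packet, server_ip):
    """Server side: relayed requests use giaddr, local broadcasts use the server's own subnet."""
    giaddr = ipaddress.ip_address(struct.unpack(FMT, packet)[GIADDR])
    origin = giaddr if int(giaddr) else ipaddress.ip_address(server_ip)
    for name, net in SCOPES.items():
        if origin in net:
            return name
    return None                        # no matching scope: no lease is offered

if __name__ == "__main__":
    server = "10.0.10.5"               # constructed DHCP server address on the LAN
    print("wired LAN client ->", select_scope(client_discover(), server))
    print("guest SSID client ->", select_scope(relay(client_discover(), "10.0.30.1"), server))
```

Because the scope follows the interface the request arrived on, a wired LAN client cannot be handed a guest address by mistake, and a guest client cannot be handed a LAN address, as long as the guest SSID really is on its own VLAN or physical segment.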

It costs more, but that's Cisco. I can't speak to the reviews you've seen, but that's what return policies were made for. If the unit doesn't perform to your satisfaction, send it back. I'd always opt for going with a common vendor when dealing with networking equipment. The PIX and the 541 can work together to provide you the best level of security.

I haven't found anything that can compare to them for ease of use, features, manageability and price. They start at $80 per AP.

You can do up to 4 SSIDs, VLANs, guest networks, etc. DHCP would have to be handled separately, but if you already have a DHCP server you can just create a new range on it and use your existing network infrastructure and assign that range to your guest WLAN.

To my understanding, which may not be that great, you could get a dual-band router/access point that would provide you with two separate SSIDs like you want. I use Apple's Airport Extreme, which is a little pricey, but it has been worth it to me. I don't use it with the Dual-Band function enabled, but rather as an access point. However, I can easily test that for you if you want me to. I can use the second SSID to create a guest network, and see if it supplies connected devices with IP addresses from its own DHCP range.

Thank you for the offer to test the functionality of your airport device, but I don't want to add another router because I want to leave my existing 1841 in place. I really just want to add an access point.

You should look at the UniFi line then, like I suggested. They are simply an access point that you drop in place with your existing setup, and they support up to 4 SSIDs.

Dual band has nothing to do with the number of SSIDs a device can support. That means it can support connections on 2 different frequency ranges at once, like 2.4 and 5.8 GHz.

molan, you are correct. Dual-Band does not necessarily mean multiple SSIDs are supported. Often they are, though. However, I was mistaken about my Airport Extreme, and it was my other access point that I was thinking of. I cannot recommend it, however, as we are going to be replacing it shortly due to connectivity issues.

I am checking out their page now. If I create another DHCP range (say 192.168.1.1-254) for the guest network, how will I make sure that the subnet gets to the web?

What kind of configuration changes would I need to make to have the 541N working in conjunction with the 506e?

Would I forward only 80 and 443 traffic through the guest network and deny all other requests?

The 541N will automatically restrict access to your network for anyone who connects to the "Guest" WiFi network. You won't have to do a thing. No need for messing with existing DHCP either. The 541N will work with your existing DHCP services.

I second molan's motion on UniFi. He gave me some info on this unit in a post I made, I did the research, and it is what I will be getting for a particular zone in our facility where we want guest wifi and don't have any other reasonable options.

How do you plan to deal with the DHCP issue? From reading the user guide I see that I can exclude access to certain subnets when I set up the guest network, but how do I set up my DHCP server to assign a different set of addresses to only that guest network? I don't want to have users on the LAN segment receiving those addresses by mistake.

There's a lot to be said for using a single solution across your network infrastructure in terms of management and interoperability. If you have Cisco routers, switches and firewall, I'd lean in that direction. I'm just sayin...

Since I don't have the UniFi yet, I can't say for sure. Maybe molan or someone else with direct experience can expand. My understanding (though I may be way off) is that the UniFi handles the guest network internally and that all guest traffic, from your internal DHCP server's point of view, is flowing through the UniFi access point's reserved IP on your DHCP server.

So would the UniFi then work in my situation? The documentation makes it sound like it would. My plan was to plug the UniFi into our network switch (behind our firewall) with the understanding that connections on the guest SSID would not have access to the rest of our network. Server 2008 R2 handles DHCP, and is only configured for one subnet. Could you clarify if what I'm hoping will work, actually will?